The HIPAA Omnibus Final Rule brings a significant change to the HIPAA/HITECH Breach Notification Rule. Prior to the HIPAA Omnibus Rule, organizations were required to perform a risk assessment to determine if there was likely harm to a patient resulting from a privacy breach. Determining if the breach resulted in harm was referred to as the “harm threshold”.
Changes under the HIPAA Omnibus Rule
As mentioned, the HIPAA Omnibus Rule has significantly changed what is and what isn’t a reportable breach. The “harm threshold” has been replaced with a more objective, risk-based approach. The Omnibus Rule now defaults to a reportable breach unless the organization can prove otherwise. In other words, you are guilty unless you can prove you are innocent: you have to report a breach unless you can prove that you do not have to.
The “harm threshold” allowed for a subjective analysis of whether a breach would pose harm to a patient, leaving organizations to decide for themselves whether or not to report a breach of patient information. Let’s look at the four factors that organizations need to consider under the Omnibus Rule.
- The nature and extent of the protected health information (PHI) involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the protected health information or to whom the disclosure was made
- Whether the protected health information was actually acquired or viewed
- The extent to which the risk to the protected health information has been mitigated
Taking a look at each of the 4 factors
- The first factor to consider is the nature and extent of the PHI involved. What information was involved in the breach? Were names, social security numbers, credit card information, etc. included? If only internal patient codes that didn’t disclose patient names were involved, what is the likelihood that the other information can be used to identify a patient?
- The second factor to consider is who the information was disclosed to. Was it another physician who was accidentally sent the wrong patient’s records? Was it hackers looking to sell patient information on the black market?
- The third factor and probably the most significant is whether the information was actually acquired or viewed. This is where an organization is guilty until proven innocent. Let’s take the scenario of a laptop that is lost or stolen. The laptop contained patient information and was NOT encrypted. It is the organization’s responsibility to prove that the patient data on the lost laptop was not accessed or viewed. Unless the organization can retrieve the lost or stolen laptop AND prove forensically that the information on the computer was not accessed, they have to assume it was a breach. The chance of retrieving a lost laptop and proving that the data was not accessed is very remote. This will cause a lot more breach notifications as the result of lost or stolen laptops, smartphones, USB drives, etc. It should be noted that if the device is encrypted then the breach does NOT need to be reported regardless of whether the device is retrieved or not. Encryption continues to be a “safe harbor” that does not require notification.
- The fourth factor looks at how a breach has been handled and mitigated. An example is an incorrect patient record sent via email to another physician. The employee realized their mistake, called the physician’s office and spoke with the person the email was sent to. That person assured the employee that the email would be deleted. In that case there is a low probability that the information would actually be used or shared.
More Breach Notifications
The changes to breach notifications as a result of the HIPAA Omnibus Rule are significant. Organizations have to take a much more objective approach to breaches and notifications. As demonstrated, organizations are now guilty until they can prove themselves innocent. This will result in a lot more breach notifications being sent to patients and reported to HHS/OCR.
Find out more about the HIPAA changes under the Omnibus Final Rule. Download our 7 Things You Must Know About HIPAA Security. It’s packed with very useful information!
Last year the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, conducted 115 HIPAA compliance audits. The program is being looked at as a pilot project that will eventually be used to put in place a permanent audit program. According to a HealthcareInfoSecurity interview with OCR’s Susan McAndrew:
A contractor is evaluating the results of last year’s 115 HIPAA compliance audits conducted as part of a pilot project. “We’re looking to the evaluation as helping guide us as to where we can best concentrate our efforts, and clearly the funding situation needs to be sorted out for the audit function,”
Fines will fuel OCR budget
OCR’s director Leon Rodriguez told HealthcareInfoSecurity that the audit program will begin again in late 2013 or beginning of 2014:
“My best guess is that [audits] will continue either in the latter part of 2013 … [or] certainly by 2014, we’ll be back in the business again,” the nation’s chief HIPAA enforcer says. “A lot depends on what our resources look like.”
Monetary penalties that OCR imposes as a result of its various HIPAA enforcement actions will fund continuation of the audit program, he notes. Over the last year, OCR has collected about $4 million in a handful of settlements.
And be warned: Rodriguez says healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance in the months to come. OCR has an “inventory” of ongoing investigations that Rodriguez expects will conclude with monetary settlements.
OCR budget to increase slightly
The HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $42 million, up $1 million. That small increase would be used primarily for enforcement of the HIPAA Security Rule. The budget would support adding seven full-time staff, bringing the total to 233.
The HHS budget document says OCR received almost $4 million as a result of penalties included in settlement agreements tied to HIPAA violations in fiscal 2012 and anticipates generating $5.5 million from those actions in fiscal 2013. OCR uses funding received through civil monetary penalties and settlements to help support HIPAA enforcement activities.
Number of patient records breached increasing
The count of patient records breached since 2009 continues to increase. The last count had the number at 22 million records breached.
What this all means
Taking all the information into account, one can reasonably conclude that OCR is gearing up to increase HIPAA enforcement by the end of 2013 into 2014. With a business model of using HIPAA fines to fuel the OCR budget, OCR will have many more resources to enforce HIPAA compliance.
You can either enjoy the calm before the HIPAA compliance enforcement storm or you can start making sure you are complying with the HIPAA regulations. Organizations that take HIPAA compliance seriously will be in much better shape than those who choose to ignore it.
When the storm comes, make sure you are protected!
A potential client asked us on a conference call:
What sets HIPAA Secure Now! apart from your competition? A lot of companies offer similar services.
I thought about the question for a second before responding. The client was right. There are a lot of companies that offer similar services. I responded:
What sets HIPAA Secure Now! apart from other companies is our customer-centered focus and our employees. Sure, we have state-of-the-art compliance tools and our HIPAA compliance portal is unmatched, but that is not what sets us apart. We are unique in that we offer a complete bundle of compliance services including risk assessments, policy creation, employee training and an array of technology solutions to help all organizations comply with HIPAA security. But that is not what sets us apart.
What sets us apart is our staff that truly wants to help clients with HIPAA security. We are with you and help you from the time you are interested in the service through every step on your way to HIPAA compliance.
Offering great online tools is fine but HIPAA security is a complex subject. We feel that it is critical to take the time to explain to clients the HIPAA requirements, give real examples of potential security issues and be there to answer their questions.
HIPAA Secure Now! is high tech, but we are also high touch: a unique blend of technology to streamline the HIPAA compliance process combined with an absolute customer-focused mindset. This mindset provides the human guidance and expertise to help our clients navigate through the complex maze of HIPAA security compliance.
That’s what sets HIPAA Secure Now! apart!
The HHS Office for Civil Rights (OCR) announced that it has fined Idaho State University (ISU) $400,000 for failing to protect patient information.
The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.
OCR goes into more details in the Resolution Agreement posted on their website:
Factual Background and Covered Conduct. On August 9, 2011, HHS received notification from ISU regarding a breach of its unsecured electronic protected health information (ePHI). On November 22, 2011, HHS notified ISU of its investigation regarding ISU’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”).
- ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;
- ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and
- ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.
The three findings are interesting because they represent HIPAA requirements that many organizations are not complying with.
A HIPAA Risk Assessment is the core of the HIPAA Security Rule. A Risk Assessment will provide an organization with the information they need to properly protect patient information. A Risk Assessment will look at where patient data is stored, how it is being protected and what are the risks to the data. In addition, a HIPAA Risk Assessment will provide suggestions for additional security measures that should be implemented.
Inadequate Security Protections
The second point goes directly with the failure to perform a Risk Assessment. Without the Risk Assessment an organization does not know what the risks are to patient information. Without knowing the risks, an organization may not put the proper protections in place.
Think about a patient going to the doctor. The patient might ignore the effect their habits are having on their health until the doctor says, “If you don’t change your lifestyle you will be dead in 2 years.” Only then does the patient know the real risks to their health and might make the lifestyle changes needed to avoid the consequences. A HIPAA Risk Assessment provides the same insight.
Information System Review
The third point is one that we see over and over again. Many organizations do not review information system activity. Information system activity logs record access to patient information. They record:
- Who accessed patient information
- When patient information was accessed
- What patient information was accessed
Without reviewing information system activity, an organization is blind to what is happening with its electronic patient information. Reviewing system activity can reveal trends that might alert an organization that illegal activity is occurring or that patient information is being accessed in an inappropriate way. Examples include:
- One employee is accessing 400 patient records a day when all other employees are only accessing 20 patient records a day. This employee might be downloading patient information and selling it for criminal activity.
- A lot of patient information is being accessed after normal working hours. This could be an indication that a hacker is illegally accessing patient information.
Without reviewing system activity, an organization might be blind to what is happening to patient information. Illegal or inappropriate access might be occurring right under their nose.
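To make the two review patterns above concrete, here is an added example (not from the original post, and not a HIPAA Secure Now! tool) that runs both checks over a constructed sample access log. The log line format, the user names, the 5× peer-median volume threshold and the 07:00–19:00 business window are all assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, time
from typing import NamedTuple


class Access(NamedTuple):
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text):
    """Parse constructed 'ISO-timestamp user patient-id action' lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        out.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return out


def build_sample_log():
    """Constructed sample (assumed data): three clerks each view ~20 records
    on one day, one user views 400, and two accesses happen at about 02:00."""
    lines = []
    for user, n in (("alice", 20), ("bob", 22), ("carol", 18), ("dave", 400)):
        for i in range(n):
            hour = 9 + (i % 8)  # spread the views over 09:00-16:59
            lines.append(f"2013-05-20T{hour:02d}:{i % 60:02d}:00 {user} MRN{10000 + i} VIEW")
    lines.append("2013-05-20T02:14:00 bob MRN20001 VIEW")
    lines.append("2013-05-21T02:21:00 bob MRN20002 EXPORT")
    return "\n".join(lines)


def daily_volume_outliers(accesses, factor=5):
    """Flag (user, day, count) where a user's distinct-patient count for the
    day exceeds factor x the median of the other users' counts that day."""
    per_day = defaultdict(lambda: defaultdict(set))
    for a in accesses:
        per_day[a.ts.date()][a.user].add(a.patient)
    flagged = []
    for day, users in per_day.items():
        counts = {u: len(p) for u, p in users.items()}
        for u, c in counts.items():
            others = [v for k, v in counts.items() if k != u]
            if others and c > factor * statistics.median(others):
                flagged.append((u, day.isoformat(), c))
    return flagged


def after_hours(accesses, start=time(7), end=time(19)):
    """Return accesses outside the business window (weekends not modelled)."""
    return [a for a in accesses if not (start <= a.ts.time() < end)]


if __name__ == "__main__":
    records = parse_log(build_sample_log())
    print("volume outliers:", daily_volume_outliers(records))
    for a in after_hours(records):
        print("after hours:", a.ts.isoformat(), a.user, a.patient, a.action)
```

Both checks work on whatever the application's audit trail already records; the point is that neither is visible without someone (or something) actually reading the log.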
It cost Idaho State University $400,000 plus significantly more to notify patients and address the findings in the OCR Resolution Agreement.
Unfortunately many organizations are guilty of failing to protect patient information and do not perform the 3 items that caused Idaho State University to receive a $400,000 HIPAA fine.
Introduces New HIPAA Compliant Data Backup Service, HIPAA Secure Backup Powered by BUMI
Morristown, NJ (PRWEB) May 21, 2013
HIPAA Secure Now! and BUMI (Backup My Info!) announced today a new HIPAA compliant data backup service called HIPAA Secure Backup Powered by BUMI. BUMI is the premium provider of managed online backup and recovery solutions for small to mid-sized businesses. Under HIPAA Security Rule 164.308(a)(7)(ii)(A), medical providers and their business associates are required by law to implement a data backup plan that ensures Protected Health Information (PHI) is properly safeguarded.
HIPAA Secure Backup Powered by BUMI ensures that data is encrypted prior to being sent to the BUMI servers and that data remains encrypted on the servers. BUMI will sign a required HIPAA business associate agreement with either a covered entity or business associate (healthcare organizations and their contractors) to certify that they comply with the new HIPAA Omnibus Rule. The service is fully managed from the software installation to monitoring backups, notifying clients if there are issues with backups, and 24×7 live support and data recovery.
“One of the most frequently asked questions we get from our clients concerns HIPAA compliant data backup services,” explained HIPAA Secure Now! President and CEO Art Gross. “Our clients are looking for an automated, fully managed, affordable, HIPAA compliant backup service that not only helps protect patient information but helps them with HIPAA compliance. BUMI ensures that data backups comply with HIPAA regulations and signing a HIPAA business associate agreement ensures compliance with the HIPAA Security and Omnibus Rules. In addition, their 24×7 live support is unmatched.”
Jennifer Walzer, President and Founder of BUMI (Backup My Info!) said, “We are excited to be working with HIPAA Secure Now! to help healthcare organizations and their associates ensure compliance. Our fully managed, premium backup and recovery solution provides healthcare organizations the peace of mind that their patient data is securely backed up and compliant with HIPAA regulations.”
About HIPAA Secure Now!
HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009. HIPAA Secure Now! is the fastest and easiest way to HIPAA compliance. HIPAA Secure Now! performs our clients’ Risk Assessments, writes their policies and procedures and trains their employees on how to protect patient information. In addition, HIPAA Secure Now! offers a full suite of technology products to protect patient information including email encryption, mobile encryption, data backup, disaster recovery and network security. For more information visit https://www.hipaasecurenow.com.
Founded in 2002, BUMI (Backup My Info!) specializes in delivering online backup and recovery solutions for small to mid-sized businesses. Based in New York City, BUMI provides an off-site data protection solution that addresses critical issues such as rapid growth of data, business continuity, and regulatory compliance. Every BUMI client is cared for by a team of senior-level engineers dedicated to providing proactive and personalized support. Clients include professional service organizations such as banking, financial, insurance, accounting, hedge funds and law firms. For more information, visit http://www.backupmyinfo.com or call (866) 444-BUMI (2864).
Risk of owning a car
If you take a step back and think about the risks of owning a car, I think you would be shocked. Cars have associated risks that could significantly impact you and your family. Some of the risks include:
- The risk of being hurt or killed in a car accident
- The risk of hurting someone else in a car accident
- The financial risk of being hurt and the associated medical costs
- The financial risk of hurting someone else and being sued
- The financial risk of someone stealing your car
- The financial risk of repairs to your car
Owning a car may be one of the riskiest investments that a person makes. Yet we get in our cars every day and drive to work or bring our children to baseball practice. In fact most of us don’t even think about the associated risks. Why is that? One reason we don’t worry about the risk that automobiles present is that we have taken steps to minimize it. Some of the steps include:
- We buy cars with advanced safety features to protect us in the event of an accident
- We have medical insurance to offset expenses in case we are hurt in an accident
- We have car insurance to cover expenses of accidents or if our cars are stolen
- We obey traffic regulations that are in place to make driving cars safer
So as you can see, we have put in place safeguards to protect us from the risks that our automobiles present us.
Risk of maintaining patient information
Like cars, electronic protected health information (ePHI or patient information) presents us with significant associated risks. Some of the risks include:
- The financial risk of regulatory fines for non-compliance with HIPAA regulations
- The financial risk of security data breaches that disclose ePHI
- The risk of negative publicity or reputation damage in the event of a data breach. Negative publicity carries the associated financial risk of patients leaving or not using a medical practice
Have you thought about what the impact would be if any of these events would happen?
- What if you receive a $200,000 HIPAA fine for non-compliance?
- What if you had $300,000 of breach related expenses due to a security breach? Expenses include IT forensics, legal expenses, patient notification expenses, etc.
- What if you received a HIPAA fine and your search results in Google displayed stories on your HIPAA violation? Would this have an impact on existing or new patients?
Patient information safeguards
As you can see, maintaining ePHI has associated risks that could significantly impact your organization. Like owning a car, it is critical that you put in place safeguards to minimize the associated risks. Some of the safeguards include:
- Performing a HIPAA Risk Assessment to understand what security safeguards need to be implemented to protect ePHI
- Training employees on how to protect ePHI
- Implementing encryption on laptops and smartphones to minimize the risk if these devices are lost or stolen
- Purchasing HIPAA / Cyber insurance to offset the expenses of regulatory fines or breach related expenses
Maintaining ePHI is risky but like owning an automobile, it is possible to implement safeguards that offset the associated risk. But not understanding the risks or not putting in place the appropriate safeguards could significantly impact or cripple an organization.
- Would you purchase a car without purchasing insurance?
- Would you drive a car without using seat belts or put your children in a car without seat belts?
- Would you drive through red lights or disobey traffic regulations?
Most likely the answer to the above questions is NO! Take a step back and seriously look at the risk of having ePHI. Make sure you take steps to protect your organization against the associated risks of having electronic patient information.
Don’t drive without seat belts!
HIPAA Security Tips: The Dangers of Smartphones
Learn more about Smartphone encryption and our other HIPAA security products. Visit our HIPAA Technology Suite page for more details.
The below infographic provides good insight into common myths of HIPAA compliance for medical practices.
Thanks goes out to HIPPOmsg for putting the infographic together!